Search
JOIN OUR NETWORK

     

     

 

 

« Vulnerability of nuclear-related ICS/SCADA systems to cyber-attack, and the risk of catastrophic releases of hazardous radioactivity | Main | Gusterson in BAS: "How the next US nuclear accident could happen" »
Monday
Oct052015

Chatham House: "Cyber Security at Civil Nuclear Facilities: Understanding the Risks"

Workers at the Wolsong nuclear power plant participate in an anti-cyber attack exercise, Gyeongju, South Korea. Photo: Getty Images.On Oct. 5, 2015, Chatham House/The Royal Institute of International Affairs published a report entitled Cyber Security at Civil Nuclear Facilities: Understanding the Risks.

The report does perform the public service of making abundantly clear that the risks of cyber attacks at nuclear power plants, and other nuclear power related facilities, are very serious. And that the nuclear power industry, and the government agencies in charge of protecting public health, safety, security, and the environment are not taking the risk of cyber attacks anywhere near seriously enough.

However the report also does the disservice of assuming that the nuclear power industry is essential, and must be continued. This is quite debatable, especially given the serious risks that cyber attacks represent for not only electric reliability on a large scale, but also in terms of the potential for catastrophic release of hazardous ionizing radioactivity -- risks this report itself acknowledges.

The report also does the disservice of naming anti-nuclear organizations as a potential source of cyber attacks on nuclear facilities. This unfortunately continues a trend of demonizing environmental opponents of nuclear power, as well as concerned citizens, who have devoted themselves to preventing radiological disasters, and in a non-violent manner.

The study reports a number of publicly known cyber attacks, and other cyber incidents, at nuclear power plants, while it hastens to add that the nuclear power industry itself is very likely concealing information about a much larger number of such incidents. As the study reports:

While only a few cyber attacks on nuclear facilities have been made public, one estimate (Source 8) puts the number of major incidents that have affected industrial control systems as high as 50 (this is in addition to frequent routine attacks on business networks):

What people keep saying is 'wait until something big happens, then we'll take it seriously.' But the problem is that we have already had a lot of very big things happen. There have probably been about 50 actual control systems cyber incidents in the nuclear industry so far, but only two or three have been made public. (Page 15, or 26 of 53 on the PDF counter)

The report does, however, document the following cyber attacks and other incidents that are publicly known:

Known cyber security incidents at nuclear facilities

Ignalina nuclear power plant (Lithuania, 1992)...Davis-Besse nuclear power plant (Ohio, 2003)...Browns Ferry nuclear power plant (Alabama, 2006)...Hatch nuclear power plant (Georgia, 2008)...Natanz [uranium enrichment] facility and Bushehr nuclear power plant -- Stuxnet (Iran, 2010)...Unnamed Russian nuclear power plant -- Stuxnet (circa 2010)...Korea Hydro and Nuclear Power Co. commercial network (South Korea, 2014)

(See Box 1, on Page 3 to 5, or 14 to 16 of 53 on the PDF counter, for more detailed information on each cyber security incident)

Cyber Security at Civil Nuclear Facilities: Understanding the Risks - See more at: https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks#sthash.lfNUIyca.dpuf
Cyber Security at Civil Nuclear Facilities: Understanding the Risks - See more at: https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks#sthash.lfNUIyca.dpuf